Dempster-Shafer Evidence Combining for (Anti)-Honeypot Technologies

Honeypots are network surveillance architectures designed to resemble easy-to-compromise computer systems. They are deployed with the aim to trap hackers in order to help security professionals capture, control, and analyze malicious Internet attacks and other activities of hackers. A botnet is an army of compromised computers controlled by a bot herder and used for illicit financial gain. Botnets have become quite popular in recent Internet attacks. Since honeypots have been deployed in many defense systems, attackers constructing and maintaining botnets are forced to find ways to avoid honeypot traps. In fact, some researchers have even suggested equipping normal machines by misleading evidence so that they appear as honeypots in order to scare away rational attackers. In this paper, we address some aspects related to the problem of honeypot detection by botmasters. In particular, we show that current honeypot architectures and operation limitations may allow attackers to systematically collect, combine and analyze evidence about the true nature of the machines they compromise. In particular, we show how a systematic technique for evidence combining such as Dempster-Shafer theory can allow botmasters to determine the true nature of compromised machines with a relatively high certainty. The obtained results demonstrate inherent limitations of current honeypot designs. We also aim to draw the attention of security professionals to work on enhancing the discussed features of honeypots in order to prevent them from being abused by botmasters.